A typical data communications network includes an interconnection of one or more data communications devices and data links that support the exchange of information between a number of host computer systems coupled to the network. A few interconnected devices (computer systems and data communications devices) may form such a network, or there may be many hundreds or thousands of such devices in a single network. Typically, an organization such as the federal government, a corporation, or an educational institution independently owns, manages and operates the data communications devices, computer systems and data links that form a data communications network. Those skilled in the art generally consider a network such as the Internet to be a large collection of the separate but interconnected, independently owned and managed data communications networks.
Generally, data communications networks operate by transporting data portions such as packets, cells, frames or the like (collectively referred to herein as packets) over the interconnection of data links in the network between various computer systems and data communications devices. Each computer system and data communications device on a data communications network typically requires at least one associated network address to perform data communications on the network. The network address is frequently a numerical arrangement such as an Internet Protocol version 4 (IPv4) address of the form “N.N.N.N” where each N ranges between “0” and “255”. An address uniquely identifies a device such as a single computer system within the network. Data communications devices can use the address of a specific computer system, for example, to route and deliver packets of data to that system as opposed to other computer systems within that network, much like a postal address uniquely identifies a specific delivery destination for a parcel of mail.
As an example, to send data through a data communications network, a source computer system (e.g., an end user host computer) creates a packet of data and places a destination address of a destination computer system into a field in the packet and then transmits the packet onto the network. Data communications devices in the network such as routers and switches that receive the packet can examine the destination address of the packet and can transmit the packet onto appropriate data link(s) in order to forward the packet towards the computer system specified by the destination address of the packet. Data packets travel across the network in this manner, data link by data link (i.e., hop by hop), until they eventually reach the portion of the network (i.e., the data link or sub-network) that contains a coupling to the computer system specified by the destination address in the packet. The destination computer system can detect and receive the packets and extract the data within the packets for use by an application.
The devices (computer systems and data communications devices such as routers and switches) within a single data communications network frequently are configured to operate using a set of related network addresses. The group or range of related addresses that can be used for devices within a network is sometimes called the “domain” of the network. To obtain a range of addresses for use in a network such as the Internet (i.e., to obtain a domain), a system administrator (a person responsible for managing devices and computer systems within a network) requests the domain from a network address assignment organization such as Network Solutions Corporation (formerly known as InterNIC). The purpose of the network address assignment organization is to ensure that a domain and any associated address range assigned to computer systems within a particular network is/are not duplicated elsewhere (e.g., within another interconnected network). An example of a network domain is the familiar “dot com” notation such as “company.com,” where “company” is the name of a commercial organization to which the domain is assigned. Within a data communications network, the domain “company.com” translates (through the Domain Name System) into specific network addresses and, as the term is used in this description, also denotes the range of sub-addresses that can be used within a network of this domain. Strictly speaking, a domain name and the block of network addresses used behind it are allocated separately (the name by a domain registrar, the address block by an Internet address registry); this description uses “domain” loosely for both.
Data communications system developers have created various prior art mechanisms to assign individual network addresses to devices that are coupled to a data communications network. As a simple example, a systems administrator can manually configure each computer system or data communications device in a network with a specific network address. A network address assigned to a particular computer system should, in most cases, be unique to that host. This avoids instances of address duplication in which two hosts are accidentally assigned the same network address. Address duplication is a common error that can occur when a systems administrator uses a manual configuration process to assign network addresses in a network.
Many computer networks are divided into sub-networks. Each sub-network typically couples a number of computer systems together that have a related purpose, such as the computer systems in an engineering department, an accounting department, and so forth. Typically, for proper network operation, a systems administrator should configure all computer systems coupled to a specific sub-network with a sub-range of related addresses. However, computer systems are sometimes moved from one sub-network to another. Each time a computer system is moved in this manner, the systems administrator must manually re-configure the address for the computer system to properly operate on the next sub-network to which it is coupled. Again, the process of manually configuring network addresses can become quite cumbersome and is prone to error.
To solve such problems and to simplify the process of assigning addresses to computer systems (or other networked devices), data communications system developers have created prior art address assignment protocols that can dynamically assign network addresses to computer systems and devices in an automated manner. One example of such a prior art address assignment protocol is the Dynamic Host Configuration Protocol (DHCP). While a brief overview of DHCP is provided below, complete details on the operation of DHCP can be found in the DHCP standard, which is fully documented in Request for Comments 2131 (RFC-2131), an IETF standards-track document maintained by the Internet Engineering Task Force (IETF). RFC-2131 is hereby incorporated by reference in its entirety. Documentation for such standardized network protocols including RFC-2131 is available on the World Wide Web at a web site maintained by the IETF.
A DHCP server maintains a range or set of available network addresses that may be dynamically assigned, as needed, to computer systems or other devices that couple to the network and request an address for use on that network from the DHCP server. More specifically, when a computer system is coupled to a sub-network within a network and is started-up or “booted” (i.e., the computer is powered on and begins operation), a DHCP client within the computer system broadcasts a DHCP discover message (DHCPDISCOVER) onto the network to request specific information required for operation within the network, including an assignment of a network address for use by that computer system on the network. One or more DHCP servers that detect such a request can respond with an “offer” (DHCPOFFER) proposing an address to service the request. There might be a few DHCP servers in a network, for example, to provide redundancy in the event that one DHCP server fails in some manner. The DHCP client in the computer system that initiated the discover message can receive the offers from each DHCP server and can select one of such offers. The DHCP client then broadcasts a DHCP request message (DHCPREQUEST) that names the selected DHCP server (the server identifier option) and the offered address, and the selected DHCP server confirms the assignment with an acknowledgement (DHCPACK) carrying the network address, a lease time, and possibly other configuration information such as a default router and name servers. Because the DHCPREQUEST is broadcast, the other DHCP servers (if others exist) also observe which server was selected and withdraw their own offers, so that the address now in use by the specific computer system is not subsequently offered to another computer system until its lease expires or it is released by the computer system.
In this manner, computer systems can be coupled and de-coupled at any time to various sub-networks of a computer network and can negotiate with a DHCP server for an appropriate address for use on that network sub-network. DHCP thus avoids the process of manually configuring an address for use by each computer system each time that computer system is placed on the network or is moved from one sub-network to another.
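The exchange described above, as an added example that is not part of the patent text: a Python encoder and decoder for the RFC 2131 fixed header and the RFC 2132 type-length-value options (message type option 53, server identifier option 54), with two in-memory DHCP servers and one client walking through DHCPDISCOVER, DHCPOFFER, DHCPREQUEST and DHCPACK. The server and pool addresses, the client hardware address and the transaction id are constructed for the example; the servers are plain objects called in a loop rather than processes listening on UDP port 67, and the client simply takes the first offer it receives.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed fields, 236 bytes


def build(op, xid, chaddr, yiaddr, options):
    """Encode a DHCP message: fixed header, magic cookie, TLV options, END."""
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000,     # htype 1 = Ethernet, broadcast flag set
                      b"\0" * 4, yiaddr.packed, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(msg):
    """Decode header and options; reject anything without the magic cookie."""
    f = struct.unpack(HDR, msg[:236])
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == OPT_PAD:
            i += 1
            continue
        code, ln = msg[i], msg[i + 1]
        options[code] = msg[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "yiaddr": ipaddress.IPv4Address(f[8]),
            "chaddr": f[11][:6], "options": options}


class Server:
    """A DHCP server with one address pool; pending offers are withdrawn when
    the broadcast DHCPREQUEST names a different server."""

    def __init__(self, server_ip, pool):
        self.ip = ipaddress.IPv4Address(server_ip)
        self.free = [ipaddress.IPv4Address(a) for a in pool]
        self.pending = {}   # xid -> address offered but not yet confirmed
        self.leased = {}    # chaddr -> address

    def handle(self, raw):
        m = parse(raw)
        mtype = m["options"][OPT_MSG_TYPE][0]
        reply_opts = lambda t: [(OPT_MSG_TYPE, bytes([t])), (OPT_SERVER_ID, self.ip.packed)]
        if mtype == DHCPDISCOVER and self.free:
            addr = self.free.pop(0)
            self.pending[m["xid"]] = addr
            return build(BOOTREPLY, m["xid"], m["chaddr"], addr, reply_opts(DHCPOFFER))
        if mtype == DHCPREQUEST:
            addr = self.pending.pop(m["xid"], None)
            if m["options"].get(OPT_SERVER_ID) != self.ip.packed:
                if addr is not None:          # client chose another server: withdraw our offer
                    self.free.insert(0, addr)
                return None
            if addr is None:                  # request for an offer we never made
                return None
            self.leased[m["chaddr"]] = addr
            return build(BOOTREPLY, m["xid"], m["chaddr"], addr, reply_opts(DHCPACK))
        return None


def run_exchange(servers, chaddr=b"\x02\x00\x00\x00\x00\x01", xid=0x1234):
    """Client side: broadcast DISCOVER, pick the first OFFER, broadcast REQUEST,
    return the address confirmed by the ACK (or None)."""
    zero = ipaddress.IPv4Address("0.0.0.0")
    discover = build(BOOTREQUEST, xid, chaddr, zero, [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    offers = [parse(r) for r in (s.handle(discover) for s in servers) if r]
    if not offers:
        return None
    chosen = offers[0]
    request = build(BOOTREQUEST, xid, chaddr, zero,
                    [(OPT_MSG_TYPE, bytes([DHCPREQUEST])),
                     (OPT_SERVER_ID, chosen["options"][OPT_SERVER_ID])])
    acks = [parse(r) for r in (s.handle(request) for s in servers) if r]
    return str(acks[0]["yiaddr"]) if acks else None
```

Running `run_exchange([Server("192.0.2.1", ["192.0.2.10"]), Server("192.0.2.2", ["192.0.2.20"])])` leases 192.0.2.10 from the first server, while the second server, seeing a DHCPREQUEST that names a different server identifier, returns 192.0.2.20 to its free list. Note that nothing in this exchange identifies the client beyond its self-reported hardware address, which is the gap the rest of the document addresses.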
While prior art address assignment mechanisms such as DHCP make the process of assigning addresses to computer systems easier and less prone to error, they do little to provide security or access control within the network environment in which they operate. By way of example, a typical implementation of prior art DHCP will service or provide “offers” to any computer system that requests an assignment of an address for use on a network. If a malicious computer user (e.g., a hacker) couples his or her computer system to a network, a prior art DHCP server within that network will provide that computer system with a valid address in response to a request. The address allows the computer system to perform data communications on the network. There is generally no authentication that takes place between the prior art DHCP client and the prior art DHCP server to determine if the computer system requesting the address is authorized or has permission to obtain the address for use on the network.
Another problem with prior art DHCP servers is that they operate to select addresses for use on the network from a common pool, set or range of addresses. For example, if a company owns a number of computer systems and couples these to a sub-network, each computer system can use its DHCP client to request an address for use on that sub-network from the company's DHCP server. Likewise, if a guest or visitor to the corporation (friendly or malicious) also couples his or her guest computer system (e.g., a laptop computer) to the same sub-network, the DHCP client on the guest computer system can also request an address from the DHCP server. The DHCP server will select and assign an address to the guest computer system from the same pool or set of addresses from which address selection was made for the company's own requesting computer systems, and as indicated above, the DHCP server will do so without any authentication or verification of an identity of the guest computer system.
Prior art DHCP processing thus results in the guest computer system having an address that is indistinguishable from addresses assigned to the company's own computer systems. In other words, the DHCP server as well as all other network components such as the company's data communications devices (routers, switches, hubs, gateways, proxy servers, etc.) and other company owned computer systems are unable to distinguish data communications (e.g., packets) sent from or to the guest computer system versus data communications sent to or from the company's own computer systems. To this end, the guest computer system has the ability to transfer data communications (e.g. packets) to any and all data communications devices and computer systems anywhere within the DHCP domain. Using such prior art DHCP technology, password or login protection schemes implemented within specific corporate computer systems or data communications devices are the only measure of network security.
The present invention is based in part on the observation that other address assignment techniques such as DHCP can be extended according to this invention to provide an address assignment scheme that provides significantly enhanced network security. Generally, the invention allows an address assignment mechanism such as DHCP to distinguish between guest computer systems and local (e.g., company owned) computer systems that request an address. Based on this guest or local computer system distinction, a DHCP server configured according to this invention, for example, can select and assign guest network addresses to guest computer systems within a local network, and can select and assign local network addresses to local computer systems within the local network. In other words, the invention reserves a set of guest network addresses for assignment to guest computer systems and uses another set of local network addresses for assignment of addresses to local computer systems. A local network and local computer systems are generally defined as a network (e.g., a company's network) of computer systems that are under the management and control of a single entity and that are served by an address server (e.g., DHCP server) configured according to this invention.
The invention further allows local computer systems and data communications devices within the local network to be aware of the guest address range (or of specific guest addresses) assigned to guest computer systems (or other guest computerized devices). This allows, for example, local data communications devices within the network to limit the number of routes upon which data communications (e.g. packets) sent to or from a guest computer system are transported. As a specific example, data communications devices in a local network might transport guest data communications that contain a guest network address only on certain sub-networks within the network and not on others.
Aside from the general operation of assigning guest addresses to guest computer systems and local addresses to local computer systems, the system of the invention also provides a robust authentication and verification technique that allows a local address server of the invention to authenticate and verify the identity of a computer system or other device (guest or local) requesting assignment of an address. This allows an address server of the invention, for example, to verify whether a computer system is a guest or a local computer system before selecting and assigning an address. The verification and authentication techniques of the invention can confer with a remote network verification computer system, such as a remote address server, to confirm that a guest computer system is a member of a remote domain, for example.
More specifically, the system of the invention includes mechanisms, techniques, steps, operations, arrangements, and configurations (all of which are considered embodiments as explained below) for assignment of addresses to requesting computer systems. In one embodiment, the system of the invention provides a method for assigning an address to a computer system. The method includes the steps, techniques and operations of receiving, from a computer system coupled to a first network, a request for an assignment of an address and assigning a guest address as the address for the computer system if the computer system is identified as a guest computer system and assigning a local address as the address for the computer system if the computer system is identified as a local computer system. If the operation of assigning assigns a guest address or a local address to the computer system (it might in some circumstances assign neither), then the operation provides the address assigned to the computer system to the computer system on the first network to allow the computer system to perform data communications on the first network. Since a guest computer is assigned a guest address, all data communications to and from this guest computer system will contain the guest address. As such, data communications devices within the first network can be configured with restricted network access routes that allow data portions containing the guest address to be routed only to certain locations, such as between a sub-network containing the guest computer system and the Internet.
In another configuration, the step of assigning includes the steps of determining if the computer system coupled to the first network is a guest computer system or a local computer system. If the system of the invention determines that the computer system is a guest computer system, the operation of selecting an address for the computer system from at least one set of guest addresses is performed, whereas if it is determined that the computer system is a local computer system, the operation of selecting an address for the computer system from a set of local addresses is performed. Since at least two sets of addresses are maintained (a local and at least one guest set), network access control can be provided depending upon which address is assigned to a specific computer system.
According to another configuration, the step of determining discussed above determines whether the computer system coupled to the first network is a guest computer system or a local computer system based on the content of the request for an assignment of the address.
In yet another arrangement, the step of determining if the computer system coupled to the first network is a guest computer system or a local computer system includes the steps of determining if the computer system purports to be associated with a remote domain of a second network, and if so, communicating with a verification computer system on the second network to verify if the computer system is associated with the remote domain. This allows an address server such as a DHCP server configured according to the invention to verify the authenticity of a requesting computer system rather than taking the purported domain at face value. The operation continues by receiving an indication, from the verification computer system on the second network, that indicates if the computer system is associated with the remote domain or not.
In certain configurations of the invention, encryption (e.g., public key technology) is used for communications between various system components to verify the authenticity and identity of the components involved in communications with each other. For example, in one embodiment, the operation of receiving an indication from the verification computer system (which itself may be an address server for the second network) on the second network includes the steps of obtaining clear text information and a doubly encrypted version of the clear text information in the indication from the verification computer system. The operation continues by obtaining a public key associated with the verification computer system and decrypting the doubly encrypted version of the clear text information with a private key of the address server receiving the indication to produce a result, and then decrypting the result with the public key of the verification computer system to produce a final result. Then, the operation compares the final result with the clear text information to verify the authenticity and identity of the verification computer system. The outer layer (under the address server's public key) keeps the indication confidential to the address server, and the inner layer (under the verification computer system's private key) functions as a signature; the comparison is only meaningful if the address server obtains the verification computer system's public key through a trusted channel rather than from the indication itself.
In another arrangement, the operation of selecting an address for the computer system from one set of guest addresses selects a guest address for the computer system based on an identity of the computer system as specified in the indication received from the verification computer system on the second network.
In another configuration, the set(s) of guest addresses includes a plurality of sets of guest addresses and the step of selecting an address for the computer system from a set of guest addresses includes the steps of determining an identity of the computer system requesting an assignment of an address and selecting one set of guest addresses from the plurality of sets of guest addresses based on the identity of the computer system requesting an assignment of an address. Then, the operation selects the address for the computer system from the selected one set of guest addresses that is selected from the plurality of sets of guest addresses. There may be multiple sets of guest addresses, for example, to enforce different levels of access control within the network. For instance, one set of guest addresses may allow guest computers to have access to certain sub-networks, while another more restrictive set of guest addresses may allow little or no access to any components within the local network, but may provide a tunnel out to the Internet.
In one such embodiment, the plurality of sets of guest addresses includes a set of more restrictive guest addresses and a set of less restrictive guest addresses. Data communications devices within the first network in this embodiment are configured to provide data transport facilities to a component on the first network for data portions transported in the first network that have a guest address selected from the less restrictive guest addresses. The data communications devices are further configured to provide no data transport facilities to the same component on the first network for data portions transported in the first network that have a guest address selected from the more restrictive guest addresses. It may be the case that the identity of a guest computer system turns out to be associated with a remote domain of a competing company, for example. In this case, the more restrictive guest address assignment causes the data communications device to prevent the competitor guest computer system from penetrating the local network and provides enhanced security.
In another embodiment, the invention propagates the set (or sets) of guest addresses to data communications devices within the first network such that the data communications devices within the first network provide limited transport of data communications messages that use a guest address as specified in the at least one set of guest addresses.
In another configuration, the invention includes the operation of determining if the computer system coupled to the first network is an un-trusted computer system, and if so, providing an indication to the computer system that no address has been assigned for use on the first network.
In yet another configuration, the operation of determining if the computer system coupled to the first network is an un-trusted computer system includes the operations of determining a remote domain of a second network with which the computer system purports to be associated and determining if the remote domain is different than a local domain of the first network, and if so, identifying the computer system as an un-trusted computer system, and if not, identifying the computer system as a local computer system.
In yet still another configuration, the operation of determining if the computer system coupled to the first network is an un-trusted computer system includes the operations of determining a remote domain of a second network with which the computer system purports to be associated and determining if the remote domain is different than a local domain of the first network, and if so, identifying the computer system as a guest computer system, and if the domain of the computer system is not different than the domain of the first network, identifying the computer system as a local computer system.
According to another configuration, the operation of determining if the computer system coupled to the first network is an un-trusted computer system includes the operations of determining a domain of a second network with which the computer system purports to be associated and communicating with a verification computer system on the second network to verify if the computer system is associated with the domain of the second network. The operation also includes receiving an indication from the verification computer system on the second network that indicates if the computer system is associated with the domain of the second network, and identifying the computer system as a guest computer system if the indication indicates that the computer system is associated with the domain of the second network. Alternatively, this same configuration includes the operation of identifying, if the indication indicates that the computer system is not associated with the domain of the second network, that the computer system is an un-trusted computer system. This allows an address server performing such operation to properly identify a requesting computer system as either a guest, a local or an un-trusted computer system.
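One way to implement the guest / local / un-trusted determination of the preceding configurations, as an added example that is not the patent's own code: the address server compares the domain the client purports to belong to with its local domain, consults a verification function standing in for the remote verification computer system, and then draws from the local pool, from one of two guest pools, or from no pool at all. The domain names, address pools, the in-memory registry that plays the remote verification systems, and the assumption that the purported domain arrives inside the request are all constructed for the example. Because the text describes two treatments of a domain for which no verification system is known (refuse any address, or hand out an address from the most restrictive guest set, as in the last arrangement of this summary), the choice is a constructor parameter.

```python
import ipaddress

LOCAL, GUEST, UNTRUSTED = "local", "guest", "untrusted"

# Constructed stand-in for the remote verification computer systems: for each
# remote domain, the hardware addresses that domain vouches for. A domain that
# is absent here has no reachable verification system at all.
REMOTE_REGISTRY = {
    "partner.example": {"00:11:22:33:44:bb"},
    "competitor.example": {"00:11:22:33:44:dd"},
}


def remote_verify(domain, chaddr):
    """True/False from the remote domain's verification system, or None when
    no verification system is known for that domain."""
    members = REMOTE_REGISTRY.get(domain)
    if members is None:
        return None
    return chaddr in members


class AddressServer:
    def __init__(self, local_domain, local_pool, guest_pools, domain_tiers,
                 verify=remote_verify, unknown_domain="deny"):
        self.local_domain = local_domain
        self.pools = {"local": list(ipaddress.ip_network(local_pool).hosts())}
        for name, cidr in guest_pools.items():
            self.pools[name] = list(ipaddress.ip_network(cidr).hosts())
        self.domain_tiers = domain_tiers      # verified remote domain -> guest pool name
        self.verify = verify
        self.unknown_domain = unknown_domain  # "deny" or "restricted"
        self.leases = {}                      # chaddr -> (kind, address)

    def classify(self, chaddr, claimed_domain):
        """Decide guest / local / un-trusted and which pool (if any) to draw from."""
        if claimed_domain == self.local_domain:
            return LOCAL, "local"
        verdict = self.verify(claimed_domain, chaddr)
        if verdict is None:                   # no verification system for that domain
            if self.unknown_domain == "restricted":
                return GUEST, "guest_restricted"
            return UNTRUSTED, None
        if verdict:                           # remote domain confirms membership
            return GUEST, self.domain_tiers.get(claimed_domain, "guest_restricted")
        return UNTRUSTED, None                # remote domain disowns the client

    def assign(self, chaddr, claimed_domain):
        """Return (kind, address-or-None); None means no address was assigned."""
        kind, pool = self.classify(chaddr, claimed_domain)
        if pool is None or not self.pools[pool]:   # refused, or pool exhausted
            return kind, None
        addr = self.pools[pool].pop(0)
        self.leases[chaddr] = (kind, addr)
        return kind, str(addr)


def make_demo_server(unknown_domain="deny"):
    """Constructed configuration: one local pool, a less restrictive and a more
    restrictive guest pool, and the tier each verified remote domain maps to."""
    return AddressServer(
        local_domain="company.example",
        local_pool="192.0.2.0/27",
        guest_pools={"guest_open": "192.0.2.64/27", "guest_restricted": "192.0.2.96/27"},
        domain_tiers={"partner.example": "guest_open", "competitor.example": "guest_restricted"},
        unknown_domain=unknown_domain,
    )
```

With the demo configuration, a client claiming `company.example` receives 192.0.2.1 from the local pool, a client that `partner.example` vouches for receives 192.0.2.65 from the less restrictive guest pool, a client that claims `partner.example` but is disowned by it receives nothing, and a client from a verified competitor domain receives 192.0.2.97 from the more restrictive pool. Note that the claimed-domain comparison alone (the "deny"/"restricted" branch for unknown domains) is only as strong as the request's own assertion; the verified branches are where the remote check adds value.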
In another configuration, if the computer system is a guest computer system, a data communication device within the first network that receives data portions containing the guest address selectively transports the data portions containing the guest address only on routes designated for transport of the data portions containing the guest address. This allows the network to provide access control based on address assignments.
In accordance with another arrangement, the computer system is assigned a guest address which allows the computer system coupled to the first network to send and receive data communications through selective routes established on the first network that provide access only to other computer systems that are not associated with the first network. In other words, this arrangement only provides a “tunnel” of access to other networks through the first network, thus preventing a guest computer system from “hacking” into the first network.
In another configuration, the address server on the first network is a Dynamic Host Configuration Protocol server and uses a version of the Dynamic Host Configuration Protocol that employs the operations of receiving a request, assigning an address (guest or local) and providing the address to a computer system in order to provide address assignments to guest and local computer systems that are coupled to the first network. This embodiment thus provides an extension to a DHCP equipped address server to provide further functionality and access control.
Other arrangements of the invention provide that the operation of receiving receives the request for an assignment of an address from a computer system in a secure manner that uses key encryption technology to verify and authenticate the identity of the computer system requesting an assignment of an address. Symmetric (secret) key or public key encryption technology may be used, though preferred embodiments use public key technology, as will be explained. Such embodiments provide for even further security via secure verification and authentication of parties such as the address server, computer systems and remote verification systems in a communications session.
In another embodiment, when an address server receives the request for an assignment of an address, the operation of receiving includes the steps of obtaining clear text information and a doubly encrypted version of the clear text information contained in the request for an assignment of an address from the computer system and obtaining a public key associated with the computer system. Then, this embodiment decrypts the doubly encrypted version of the clear text information with a private key of the receiver of the communication to produce a result and then decrypts the result with the public key of the computer system to produce a final result. The operation then includes the step of comparing the final result with the clear text information to verify the authenticity and identity of the computer system requesting an assignment of an address. In this manner, the origin of the request is authenticated, provided the address server can bind the public key it obtains to the identity the computer system claims.
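The "doubly encrypted" check used both for the indication from the verification computer system and for the request from the computer system, as an added example that is not the patent's code: the sender first transforms the clear text with its own private key (a raw RSA signature) and then encrypts that with the receiver's public key; the receiver peels the outer layer with its private key, the inner layer with the sender's public key, and compares. Textbook RSA on toy primes is used so the block runs stand-alone; the key sizes, the absence of padding, and the representation of the clear text as a truncated SHA-256 digest (so that it fits below every toy modulus) are all assumptions of this example and are insecure in practice, where a padded signature scheme inside an authenticated encryption layer would take the place of the two raw exponentiations.

```python
import hashlib


def make_keypair(p, q, e=65537):
    """Textbook RSA on toy primes: returns (public, private), each (exponent, modulus)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)


def rsa_apply(x, key):
    """Raw RSA x^k mod n; 'encrypt with a private key' and 'decrypt with a
    public key' in the patent's wording are both this operation."""
    k, n = key
    return pow(x, k, n)


def digest_int(clear):
    """Clear text as an integer below every toy modulus (assumption: hash and truncate)."""
    return int.from_bytes(hashlib.sha256(clear).digest()[:4], "big")


def seal(clear, sender_private, receiver_public):
    """Sender: inner layer under the sender's private key, outer layer under
    the receiver's public key. Returns the doubly encrypted value."""
    inner = rsa_apply(digest_int(clear), sender_private)
    return rsa_apply(inner, receiver_public)


def open_and_verify(clear, doubly_encrypted, receiver_private, sender_public):
    """Receiver: remove the outer layer with its own private key, the inner
    layer with the sender's public key, and compare with the clear text."""
    result = rsa_apply(doubly_encrypted, receiver_private)
    if result >= sender_public[1]:      # cannot have been produced under the sender's modulus
        return False
    final = rsa_apply(result, sender_public)
    return final == digest_int(clear)


# Constructed toy keys (insecure sizes). The sender's modulus must be smaller
# than the receiver's so the inner layer's output fits under the outer layer.
VERIFIER_PUB, VERIFIER_PRIV = make_keypair(1000003, 1000033)   # verification computer system
ADDRSRV_PUB, ADDRSRV_PRIV = make_keypair(1000037, 1000039)     # address server (receiver)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(999979, 999983)     # attacker with its own key pair


def demo():
    """Genuine indication, an indication sealed by an impostor who knows the
    address server's public key, and a genuine seal over altered clear text."""
    indication = b"host 00:11:22:33:44:bb is a member of partner.example"
    genuine = seal(indication, VERIFIER_PRIV, ADDRSRV_PUB)
    forged = seal(indication, IMPOSTOR_PRIV, ADDRSRV_PUB)
    tampered = indication.replace(b"is a member", b"is not a member")
    return (
        open_and_verify(indication, genuine, ADDRSRV_PRIV, VERIFIER_PUB),
        open_and_verify(indication, forged, ADDRSRV_PRIV, VERIFIER_PUB),
        open_and_verify(tampered, genuine, ADDRSRV_PRIV, VERIFIER_PUB),
    )
```

`demo()` returns `(True, False, False)`: only the sender holding the verification computer system's private key can produce a value that, after both layers are removed, matches the clear text, and the same value does not vouch for altered clear text. The outer layer contributes confidentiality, not authenticity; an attacker who knows the address server's public key can always apply it, which is why the check rests on the inner layer and on the address server trusting the right public key for the sender.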
Other embodiments of the invention include a method for providing network security using address assignments. In one such embodiment, the method, which preferably operates in a data communications device in a first network, comprises the steps of receiving guest network address information indicating that a computer system coupled to the first network has been assigned a guest address and is a guest computer system of the first network. This allows data communications devices in the network to have “knowledge” of guest address information such as sub-network guest address ranges, guest address assignments, and so forth. The operation also includes the steps of configuring at least one protective route (also referred to as a selective route) within the data communications device upon which data portions containing the guest address may be transported through the data communications device, and then transporting data portions containing the guest address only on the protective route(s) within the data communications device and not on other routes within the first network, so as to inhibit the computer system that has been assigned the guest address from performing data communications on routes in the first network other than the protective route(s). This operation is generally referred to herein as selective transport or routing.
In another embodiment, the step of configuring at least one protective route within the data communications device configures a route to allow data portions that contain the guest address to be transported to a network device coupled to another network other than the first network.
In still another embodiment, the guest address is contained in a source location of the data portion that indicates an identity of the computer system that originated the data portion and wherein the guest network address information is received from an address server on the first network.
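The selective transport of the preceding embodiments, as an added example that is not the patent's code: a data communications device that holds an ordinary longest-prefix route table, receives guest ranges and their protective routes from the address server, and forwards a packet whose source or destination falls in a guest range only when both the interface it arrived on and the interface it would leave on are among that range's protective routes. The interface names, prefixes and the two guest ranges (a less restrictive one that may also reach the engineering sub-network, and a more restrictive one that only tunnels to the Internet) are constructed for the example.

```python
import ipaddress


class DataCommunicationsDevice:
    """Router applying guest-address information pushed from the address server."""

    def __init__(self, routes):
        # routes: (destination prefix, interface) pairs; the longest prefix wins
        self.routes = [(ipaddress.ip_network(p), via) for p, via in routes]
        self.guest_policy = {}   # guest range -> interfaces its traffic may use

    def receive_guest_info(self, guest_range, allowed_interfaces):
        """Propagated by the address server: a guest range and its protective routes."""
        self.guest_policy[ipaddress.ip_network(guest_range)] = set(allowed_interfaces)

    def lookup(self, dst):
        """Longest-prefix match; None when there is no route."""
        best = None
        for net, via in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None

    def forward(self, ingress, src, dst):
        """Return ('forward', egress interface) or ('drop', reason)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        egress = self.lookup(dst)
        if egress is None:
            return "drop", "no route"
        for net, allowed in self.guest_policy.items():
            if src in net or dst in net:
                # guest traffic may only enter and leave on protective routes
                if ingress not in allowed or egress not in allowed:
                    return "drop", f"guest range {net} restricted to {sorted(allowed)}"
        return "forward", egress


def make_demo_device():
    """Constructed topology: core, two departmental sub-networks, a guest LAN
    and a default route to the Internet."""
    dev = DataCommunicationsDevice([
        ("10.0.0.0/8", "core"), ("10.1.0.0/16", "eng"), ("10.2.0.0/16", "acct"),
        ("10.9.0.0/23", "guest_lan"), ("0.0.0.0/0", "internet"),
    ])
    dev.receive_guest_info("10.9.0.0/24", {"guest_lan", "internet", "eng"})  # less restrictive
    dev.receive_guest_info("10.9.1.0/24", {"guest_lan", "internet"})         # tunnel only
    return dev
```

With this configuration a less restrictive guest (10.9.0.0/24) reaches the Internet and the engineering sub-network but not accounting, a more restrictive guest (10.9.1.0/24) reaches only the Internet, and return traffic is checked the same way. The control is keyed on addresses, so it is only as good as the binding between a guest's port and its assigned address: the guest sub-network's access switch must also refuse frames whose source address is not the one the address server assigned to that port, otherwise a guest could forge a local source address and a local host could forge a guest one.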
The invention also provides embodiments related to configurations of computerized devices. According to some of such embodiments, an address server computer system is provided that includes a network interface coupled to a first network, a processor, a memory system encoded with address assignment instructions and encoded with at least one set of guest addresses and a set of local addresses, and an interconnection mechanism coupling the network interface, the processor, and the memory system. In this arrangement, the processor performs the address assignment instructions encoded within the memory system to cause the address server to perform the operations related to address assignment, authentication, and verification, as summarized above. In one particular embodiment, these operations cause the processor to receive, via the network interface, a request for an assignment of an address from a computer system coupled to the first network and assign, within the memory system, a guest address as the address to the computer system selected from the at least one set of guest addresses if the computer system is identified as a guest computer system, and to further assign a local address as the address to the computer system if the computer system is identified as a local computer system. The address server is also configured to provide, via the network interface coupled to the first network, the address assigned to the computer system, to that computer system, if either a guest address or a local address is assigned to the computer system, to allow the computer system to perform data communications on the first network. If neither a guest nor a local address is assigned (as may be the case if the address server was unable to verify the identity of the guest computer system) then no address is provided.
According to another arrangement, the processor performs the address assignment instructions encoded within the memory system to further cause the address server to determine if the computer system coupled to the first network is at least one of a guest computer system and a local computer system. If the processor performs the address assignment instructions to determine that the computer system is a guest computer system, the processor selects an address for the computer system from the at least one set of guest addresses encoded in the memory system. The benefits of multiple sets of guest addresses are outlined above, though only one set of guest addresses may be used. Alternatively, if the processor performs the address assignment instructions to determine that the computer system is a local computer system, the processor selects an address for the computer system from a set of local addresses encoded in the memory system.
In another configuration, when the processor performs the address assignment instructions encoded within the memory system to determine if the computer system coupled to the first network is at least one of a guest computer system and a local computer system, the processor also performs the address assignment instructions to cause the address server to determine if the computer system purports to be associated with a remote domain of a second network that is coupled to the first network. The address server is also configured in this embodiment to communicate, via the network interface on the first network, with a verification computer system on the second network to verify if the computer system is associated with the remote domain of the second network and to receive an indication, via the network interface on the first network, from the verification computer system on the second network, that indicates if the computer system is associated with the remote domain of the second network.
In another arrangement, the set(s) of guest addresses includes a plurality of sets of guest addresses and, when the processor selects an address for the computer system from at least one set of guest addresses, the processor further performs the address assignment instructions to cause the address server to determine an identity of the computer system requesting an assignment of an address. The address server is also configured to select one set of guest addresses from the plurality of sets of guest addresses based on the identity of the computer system requesting an assignment of an address. If the identity, for example, indicates that the guest computer system is from an unknown domain, then the computer system can be considered untrusted but can still receive a guest address. However, the guest address will be quite restrictive in its ability to allow data communications to be transported via the data communications devices within the first network. For instance, the data communications devices in one configuration might only provide a tunnel to other networks besides the first network. The address server is also configured to select the address for the computer system from the selected set of guest addresses that is selected from the plurality of sets of guest addresses.
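As an added illustration (not part of this specification or of any product it mentions), the following Python models the address server embodiments described above: a request is classified as local, verified guest, or untrusted guest; a claim of membership in a remote domain is checked with that domain's verification computer system; a rejected claim yields no address; and a revoked lease returns to its set. The address prefixes, client identities, and the verifier callable are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample address sets; the prefixes are placeholders, not real allocations.
LOCAL_POOL = ipaddress.ip_network("10.1.0.0/24")
GUEST_POOLS = {
    # guests whose claimed remote-domain membership a verification system confirmed
    "verified-guest": ipaddress.ip_network("10.1.100.0/24"),
    # guests from an unknown domain: addressed, but meant to reach only tunnel routes
    "untrusted-guest": ipaddress.ip_network("10.1.200.0/24"),
}

@dataclass(frozen=True)
class AddressRequest:
    client_id: str                   # identity presented by the requester (e.g. a hardware id)
    purported_domain: Optional[str]  # remote domain the requester claims to belong to, if any

# A verification computer system on the remote domain's network, modelled as a callable
# (client_id, domain) -> True when the client really belongs to that domain.
Verifier = Callable[[str, str], bool]

class AddressServer:
    def __init__(self, local_clients: Iterable[str], verifiers: Dict[str, Verifier]):
        self.local_clients = set(local_clients)          # identities known to be local
        self.verifiers = verifiers                       # domain -> its verifier
        self.assignments: Dict[str, Tuple[str, ipaddress.IPv4Address]] = {}
        pools = {"local": LOCAL_POOL, **GUEST_POOLS}
        self._free: Dict[str, List[ipaddress.IPv4Address]] = {
            name: list(net.hosts()) for name, net in pools.items()}

    def classify(self, req: AddressRequest) -> Optional[str]:
        """Pick the set of addresses the requester draws from, or None to refuse."""
        if req.client_id in self.local_clients:
            return "local"
        if req.purported_domain in self.verifiers:
            # The claim names a domain we can check: ask its verifier. A claim the
            # verifier rejects means the identity could not be verified, so no address.
            ok = self.verifiers[req.purported_domain](req.client_id, req.purported_domain)
            return "verified-guest" if ok else None
        # No claim, or a claim about a domain we cannot verify: an untrusted guest.
        return "untrusted-guest"

    def assign(self, req: AddressRequest) -> Optional[ipaddress.IPv4Address]:
        """Handle one address request; returns the address, or None if none is assigned."""
        if req.client_id in self.assignments:
            return self.assignments[req.client_id][1]    # renewal keeps the existing lease
        pool = self.classify(req)
        if pool is None or not self._free[pool]:
            return None
        addr = self._free[pool].pop(0)
        self.assignments[req.client_id] = (pool, addr)
        return addr

    def unassign(self, client_id: str) -> bool:
        """Revoke a lease (e.g. after a reported violation); returns False if none existed."""
        entry = self.assignments.pop(client_id, None)
        if entry is None:
            return False
        pool, addr = entry
        self._free[pool].append(addr)
        return True

    def pool_of(self, client_id: str) -> Optional[str]:
        entry = self.assignments.get(client_id)
        return entry[0] if entry else None

def demo_server() -> AddressServer:
    # Constructed verifier for one remote domain: only "guest-a" is a known member there.
    verifiers = {"partner.example": lambda cid, dom: cid == "guest-a"}
    return AddressServer(local_clients={"local-1"}, verifiers=verifiers)

if __name__ == "__main__":
    srv = demo_server()
    for req in (AddressRequest("local-1", None),
                AddressRequest("guest-a", "partner.example"),
                AddressRequest("guest-b", "partner.example"),
                AddressRequest("guest-c", "unknown.example")):
        print(req.client_id, "->", srv.assign(req), srv.pool_of(req.client_id))
```

The distinction worth noting is between a claim the server cannot check (unknown domain, which still gets an untrusted guest address) and a claim the remote verifier actively rejects (no address at all); a real deployment would also bind the lease to the requester's link-layer identity and expire it.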
Other embodiments of the invention include data communications devices within the network that are configured to recognize guest computer system data communications and selectively route such data communications. For example, such embodiments include a data communications device that comprises a plurality of network interfaces for sending and receiving data portions within a network, a memory system for maintaining guest address assignment information and a processor coupled to the plurality of network interfaces and the memory system. The processor maintains a plurality of routes for data portions between the plurality of network interfaces. The processor also receives a data portion containing a guest address as determined by the guest address assignment information and the processor routes the data portion containing the guest address only on selected routes designated by the guest address assignment information as being accessible by data portions containing guest addresses. This limits the areas within a local network that a guest computer system having such a guest address can access.
In another configuration of a data communications device, the processor receives a data portion containing both a guest address and a destination address of a component within the network that is reachable via a route that is not one of the selected routes designated by the guest address assignment information as being accessible by data portions containing guest addresses. In other words, the data portion is sent from a guest computer system that is attempting to access a restricted area of the network. In this configuration, the processor denies transport of the data portion containing the guest address to the component within the network specified by the destination address in the data portion. In a related embodiment, if a guest computer system attempts such disallowed restricted access, the data communications device can flag a network management entity to disable access. Alternatively, the address server can be informed of this violation and can un-assign the guest address. This prevents the guest computer system from performing further data communications on the local network.
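As an added illustration (not part of this specification or of any product it mentions), the following Python models the data communications device embodiments described in the two preceding paragraphs: the device holds its routes and the guest address assignment information, forwards guest-addressed data portions only on the routes designated as guest-accessible, denies the rest, reports the violation, and disables further access from that source. The prefixes, interface names, and the violation callback are constructed assumptions.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Set

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# Constructed guest address assignment information as the device would hold it:
# the prefixes from which guest addresses are assigned (placeholders, not real allocations).
GUEST_PREFIXES = [ipaddress.ip_network("10.1.100.0/24"),
                  ipaddress.ip_network("10.1.200.0/24")]

class Packet:
    def __init__(self, src: str, dst: str):
        self.src = ipaddress.ip_address(src)
        self.dst = ipaddress.ip_address(dst)

class GuestAwareRouter:
    def __init__(self, routes: Dict[str, str], guest_routes: Set[str],
                 guest_prefixes: List[IPNet],
                 on_violation: Callable[[IPAddr, IPAddr], None]):
        # prefix -> outgoing interface, ordered for longest-prefix match
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes.items()),
                             key=lambda e: e[0].prefixlen, reverse=True)
        self.guest_routes = set(guest_routes)   # routes designated accessible to guest addresses
        self.guest_prefixes = list(guest_prefixes)
        self.on_violation = on_violation        # stands in for flagging management / the address server
        self.disabled: Set[IPAddr] = set()      # guest sources whose access has been disabled

    def is_guest(self, addr: IPAddr) -> bool:
        return any(addr in net for net in self.guest_prefixes)

    def lookup(self, dst: IPAddr) -> Optional[str]:
        for net, iface in self.routes:
            if dst in net:
                return iface
        return None

    def forward(self, pkt: Packet) -> Optional[str]:
        """Return the interface to transmit on, or None when the data portion is denied."""
        if pkt.src in self.disabled:
            return None
        iface = self.lookup(pkt.dst)
        if iface is None:
            return None
        if self.is_guest(pkt.src) and iface not in self.guest_routes:
            # Guest address heading for a restricted route: deny, report, disable the source.
            self.on_violation(pkt.src, pkt.dst)
            self.disabled.add(pkt.src)
            return None
        return iface

def demo_router():
    """Constructed topology: a local LAN, a server segment, and a tunnel to other networks."""
    violations: List[tuple] = []
    routes = {"10.1.0.0/16": "eth-local",      # the first network's own segments (restricted)
              "10.1.50.0/24": "eth-servers",   # a more specific restricted segment
              "0.0.0.0/0": "tun-other"}        # tunnel to other networks: the only guest route
    router = GuestAwareRouter(routes, {"tun-other"}, GUEST_PREFIXES,
                              on_violation=lambda s, d: violations.append((s, d)))
    return router, violations

if __name__ == "__main__":
    r, log = demo_router()
    for src, dst in [("10.1.100.5", "198.51.100.7"), ("10.1.100.5", "10.1.50.7"),
                     ("10.1.100.5", "198.51.100.7"), ("10.1.0.9", "10.1.50.7")]:
        print(src, "->", dst, ":", r.forward(Packet(src, dst)))
    print("violations:", log)
```

The check is keyed on the source address being a guest address, which is exactly the property the address server controls; the device therefore needs no per-client state beyond the guest prefixes and the set of permitted routes, and the disabled set here plays the role of the management entity or address server that revokes access after a violation.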
Embodiments of the invention also include computer program products such as disks, or other readable media that have a computer-readable medium including computer program logic encoded thereon for assigning addresses to computer systems according to the methods and configurations explained above. Such computer program logic, when executed on at least one processing unit with the computerized device, causes the processing unit to perform any or all of the aforementioned methods.
The aforementioned methods and arrangements of the invention (and those discussed in detail later) are preferably implemented primarily by computer software and hardware mechanisms within a data communications device apparatus. The computer program logic embodiments, which constitute one or more software programs, when executed on at least one processing unit with the data communications device, cause at least one processing unit to perform the techniques and methods outlined above, as well as all operations discussed herein as the invention. In other words, these arrangements of the invention are generally manufactured as computer program software code (source and/or object) which is stored on a disk, memory (e.g., firmware, PROM, RAM, FLASH, etc.), card, or within a prepackaged operating system or other such media. Such programs can be loaded into the memory of a computer or data communications device and one or more processors in the device can execute such programs and code to cause the device to perform according to the operations of the invention. In such cases, the code or program(s) alone is/are embodiments of the invention, and one or more computer systems or data communications devices encoded with and operating such programs are also considered embodiments of the invention. The software to carry out the operations of the invention alone, on a disk for example, is also an embodiment. Furthermore, in this invention, an address assignment protocol such as a version or variant of DHCP that is extended with the functionality of this invention is considered an embodiment of the invention as well.
The features of the invention, as summarized above, may be employed in data communications devices and/or other computerized devices and/or software systems to control or otherwise operate such devices, such as those manufactured by Cisco Systems, Inc. of San Jose, Calif. An example of a software operating system that can employ embodiments of the invention is the Cisco Internetwork Operating System (IOS) developed and manufactured by Cisco Systems, Inc.